The Growing Cyberthreat from Iran: The Initial Report of Project Pistachio Harvest
[ Page 3 ]
Iran’s cyberwarfare capabilities do not yet seem to rival those of Russia in skill, or of China in scale. The community of high-end hackers in Iran remains relatively small and constrained to some extent by infrastructural limitations resulting from sanctions— and the sheer difficulty of building a robust network in Iran’s physical and political terrain. We have not seen evidence that Iran is capable of penetrating US national security or critical infrastructure systems outfitted with modern, best-practices cyberdefense systems.
The Iranian cyberthreat is not yet unmanageable, but it is growing rapidly. The US must rapidly develop and implement laws, sanctions, systems, and proce- dures to defend against this threat, lest we be surprised some day by a preventable cyber calamity.
[ Page 8-9 ]
Iranian leaders began speaking seriously about soft war in 2008 when they concluded that President George W. Bush was unlikely to attack Iran militar- ily, given the difficulties he faced in Iraq and pressures against war back home.18 Khamenei described soft war in November 2009 as “a mixture of cultural means and advanced communication equipment to spread lies and rumors and cause doubt and divisions among the people.”19 The Iranian Armed Forces General Staff announced the establishment of a national headquar- ters from which to wage soft war in December 2012.20 That announcement was followed in October 2013 with news that Iran was setting up a soft-war headquar- ters in each province.21
The Iranian military identified the Internet as one of the main enemies in this soft war, declaring, “[It is] not an instrument of threat or espionage. It’s a spy itself.” The head of Iran’s Law Enforcement Forces in 2012 called Google an “instrument of espionage.”22 The IRGC called for national mobilization against the Internet threat in 2014, saying, “Amid the soft war, all the society’s strata, including the youths, university students and professors, should strive to confront the enemies’ threats and thwart their plots.” Its spokesman reported that it had developed plans “both to fight and prevent the soft war, and that all soft-power factors have been employed for an all-out confrontation with soft war.”23 This is the framework within which current Ira- nian cyber policy is developed and executed.
[ Page 9 ]
The Iranian regime’s commitment to armed and unarmed struggle against the West has not been in any way diminished by the recently announced frame- work agreement. It is, on the contrary, hardwired into the Islamic Republic’s justification for its very existence and rule. Ayatollah Ruhollah Khomeini constructed the ideology that now guides Iran by combining his own theological innovation (the “guardianship of the jurisprudent,” or velayat-e faqih) with anti-Zionism and anti-colonialism, which rapidly evolved into explicit anti-Americanism. The current regime’s efforts to expel the United States from the Middle East spring from the original anti-colonialist roots of Khomeini’s ideology, which was shaped by the narrative that the US, as the inheritor of Britain’s imperial power and designs, sought to dominate, oppress, and secularize the Muslim world.
The regime justifies the repression of its own people by arguing that all manifestations of anti-regime sentiment are caused by the interference of the West and/or America’s determination to destroy the Islamic Republic and regain imperial control over the Middle East.24 It justifies its military and terrorist activities as part of the “resistance to American imperial aggression, of which it sees itself as the leader. Anti-Americanism and the belief in a current and ongoing state of war between Iran and the United States are essential elements of the Islamic Republic’s raison d’état that cannot be dispelled without fundamentally altering the character of the Iranian state.
[ Page 43 ]
It is difficult to imagine a future in which Iran does not become a significant cyberthreat to Ameri- can national security. We must begin considering and shaping our response to that threat today. The current sanctions regime allows for a potentially much more rig- orous policing of Western cyberinfrastructure to deny Iran the ability it now has to rent the most advanced computer systems from the West to use in attacking the West. It could also be tightened to further hinder Iran’s ability to acquire and import advanced hardware and software with which to build its indigenous IT infra- structure. These options are lost, however, if the current sanctions regime is dismantled completely, a distinctly possible outcome of the nuclear framework agreement just concluded.
[ Page 42 ]
Iran has become a significant player in the cyberattack arena. Its threat is no longer confined to patriotic hackers defacing websites. Individuals, companies, and regime organs have all evolved sophisticated cyberattack capabilities and have developed global infrastruc- ture with which to expand and improve them. These capabilities are more concerning because they do not appear to have been developed primarily for mercenary reasons. They seem, rather, to be used in the service of the security and ideological interests of the regime.
The Iranian attacks against Norse sensors, together with the attacks conducted against JPMorgan Chase, Saudi Aramco, and the Sands Casino, provide a glimpse into the motivations of the hackers. These attacks were clearly not profit-driven. They penetrated three wealthy organizations and sought to destroy data rather than steal intellectual property or money. The attack on Aramco served the interests of the Iranian state directly; the one on Sands seems to have been driven by Iranian nationalism. Significant increases in attack volume on Norse sensors generally correlate with rising tensions with the West and/or perceived attacks or insults to Iran.
[ Page 42 ]
It is also easy to see how the general doctrines and approaches of the Iranian security services and foreign policy organs are being mapped to Iran’s new activi- ties in cyberspace. Iran’s hackers appear to move easily between ostentatious attacks and defacements and very quiet preparations for future operations, just as Iran’s security and intelligence forces do. They main- tain a similar two-track system of responding overtly to perceived attacks against Iran while continuing covert efforts to expand their abilities to conduct future attacks. They seem to prefer to operate as individuals or small groups with plausibly deniable links to the state, just as their militant proxies throughout the region do, as opposed to the overt state control China maintains over its hackers. Iranian hackers rarely claim to be fully independent of the state, like Russian “hacktivists” do, and acknowledge their relationship with state and security entities from time to time. In this respect they are like Shi’a militias in Iraq and Syria, who maintain their nominal independence from Iran while explicitly recognizing their relationships with Tehran, the assistance they receive from Iran, and their loyalty to Iran’s values.108
[ Page 43 ]
One thing is certain, however: any significant loosening of sanctions on Iran will facilitate Tehran’s efforts to develop its cyberattack capability. Iran would almost certainly considerably augment its already-impressive ability to monitor and control its people while dramatically expanding its internal cyber capabilities. It is also likely to extend its international cyber footprint while continuing efforts to compromise Western systems.
Iran’s leaders have described expansive plans to enhance their country’s IT infrastructure, education, and training. Relaxing sanctions will allow them to accelerate and grow those plans even more. That will mean more resources to Iranian students and honest hardware and software developers, but also to malicious groups like Ashiyane and members of university faculties and research institutions that work closely with Iran’s government and security forces.
[ Page 43 ]
The Iranian regime continues to seek effective deter- rents to potential US or Israeli military strikes. Still, it is not confident—rhetoric aside—that it can build its own adequate conventional military defense any time soon. It has, therefore, developed a wide variety of other means by which to threaten to inflict pain on a potential attacker, ranging from the tens of thousands of rockets deployed in Lebanon and Gaza to the thousands of small boats and minelayers supposedly ready to close the Strait of Hormuz, to the missiles able to hit American military facilities throughout the Persian Gulf region. Cyberattack capabilities are obviously a significant addition to this deterrence and escalation- management arsenal, and one that might prove to be extremely cost-efficient in an asymmetric conflict against a major power.
In American strategic thinking, a US military attack on Iranian soil could be a proportionate response to an Iranian attack on an American military base in Bah- rain or Qatar. The Iranians likely do not see things that way. For them, the proportionality would be meeting an attack on their homeland with an attack on ours— but such an attack will be beyond their conventional military capabilities for a long time to come. For Iran, a cyberattack is a promising avenue by which Tehran could bring any future conflict to American soil, espe- cially since it offers a way to do so that is graduated and potentially unattributable and may or may not involve casualties and the destruction of physical infrastructure.